Crime of opportunity: Are businesses leaving the front door open for cyber criminals?

Cyber crime

Andy Barratt, UK managing director of cyber security consultancy Coalfire, highlights some of the ways hackers are using Covid-19 to target businesses and how firms can protect themselves and their employees online during the crisis.

A crime of opportunity is a crime with little or no premeditation. It is committed without prior planning in the moment when the perpetrator sees a chance to act. A convenience store that staff forgot to lock up after closing, a ground floor window left open in an empty home.

Online, Covid-19 has created a plethora of open windows and unlocked doors for cyber criminals, even if sliding through them requires slightly more planning than the real-world examples mentioned above.

The UK’s National Cyber Security Centre (NCSC) launched a new suspicious email reporting platform in April and, within a month, members of the public had flagged more than 160,000 Covid-19-related scams via the portal.

Cyber criminals vary in capability from the sophisticated and organised to the isolated and opportunist. When they see an opportunity – a path of low resistance – be assured that they will act upon it.  The scale of devastation that follows is usually aligned with their capabilities and tactics.

Criminals figured out quickly that many of us are glued to the breaking news and real-time social media coverage of the pandemic and are more likely to open updates from what appear to be trusted sources without scrutinising them first.

A recent Android app, for example, claiming to be a map of Coronavirus cases, turned out to be ransomware that changed the user’s password, blocked access, and charged a fee to unlock the device.

There has even been spyware – a malicious piece of code that infiltrates a device, tracks the user’s internet behaviour and steals sensitive information – designed using actual data from the John Hopkins University’s Coronavirus tracking map. Under the guise of this well-respected institution, the software requested everything from files and locations to camera and microphone access from those who downloaded it.

These, and the countless other examples out there, should cause concern for businesses. Millions of people in the UK have gone from five days a week in the office to working remotely full-time. This means that, whenever we are online at home, we are more likely to be doing so with a company-owned device or accessing our employer’s systems and databases.

This makes it significantly more likely that business IP will become a casualty of cyberattacks aimed at private individuals. But it also creates new avenues through which hackers can target companies directly.

Employees are likely to have even less interaction with their IT departments during lockdown than they would normally, but at the same time may expect updates from them on how systems have been adapted to cater for the changes in working dynamic. They might also expect to be notified of technical issues with their work devices via email instead of face-to-face.

Cybercriminals know this and will pose as IT teams, send employees links that claim to be critical updates, and ask them to change log-in details or share company credit card information.

The NCSC has put out plenty of helpful advice on how businesses can guard against the types of attack listed here, and many others.

There are technical measures that can be taken to help prevent spoofed emails, but largely phishing attempts are successful even at a pretty low level of sophistication.

Two-factor authentication is another good preventative step. For example, requiring a password and a cryptographically-generated code to access certain systems. Other second factors could be fingerprint or retina scans which many laptops and most modern smartphones cater for.

While this won’t necessarily stop a cyber-criminal teasing a password out of an employee, it will mean that the credentials they steal are no use without the other, much harder to replicate, authentication factor.

True in so many areas of cyber security, but particularly when it comes to phishing, employees themselves have the potential to be a business’s first line of defence or its greatest vulnerability.

A comprehensive programme of training and guidance on how to spot malicious emails, combined with email filtering and grading technology, as well as knowing what to do with them, is now an essential part of any company’s relationship with its employees. Even for those firms who have such a programme in place already, thinking about how these messages could be reinforced in light of the increased risk caused by Covid-19 is advisable.

Ultimately, cyber criminals do not care how concerned we all are about the Covid-19 pandemic. All they see is an opportunity and what they can gain from exploiting it.

Preventing them from doing so requires vigilance, having the right security protocols in place and communicating regularly, clearly and securely with employees about the threats they face.